Built-in fail-open bypass

The following FortiDDoS-F models have built-in copper and/or optical bypass (fail-open) mechanisms:

  • FortiDDoS-200F

    • Active fail-open bypass on copper (RJ-45) network connections 1-8. Fail-open operates at any speed up to 1Gbps but both link speeds must match.

    • Active optical fail-open bypass on Ports 13-16. Bypass ports support GE Short-Range, Multi-Mode fiber only, with LC connectors. GE transceivers are built into the chassis.

  • FortiDDoS-1500F - Active optical fail-open bypass on Ports 5-8. Ports support 10GE Short-Range, Multi-Mode fiber only, with LC connectors. 10GE transceivers are built into the chassis.

  • FortiDDoS-1500F-LR - Active optical fail-open bypass on Ports 5-8. Ports support 10GE Long-Range, Single Mode fiber only, with LC connectors. 10GE transceivers are built into the chassis.

  • FortiDDoS-2000F - Passive optical fail-open bypass ports support two fail-open links when cross-connected to any two port pairs from 1-2 or 3-4 (10GE) and/or from 5-6 or 7-8 (40GE). Transceivers in ports 1-8 must be 10GE or 40GE, Single Mode fiber only, with LC connectors. The bypass ports will support any DR, LR, ER or ZR transceiver using 1310 or 1550nm optics.

  • FortiDDoS-3000F - Passive optical fail-open bypass ports support two fail-open links when cross-connected to any two port pairs from 1-2 or 7-8 (40GE/100GE) and/or from 3-4 or 5-6 (10GE). Transceivers in ports 1-8 must be 10GE, 40GE or 100GE, Single Mode fiber only, with LC connectors. The bypass ports will support any DR, LR, ER or ZR transceiver using 1310 or 1550nm optics.

  • All other ports on any F-Series model do not support fail-open. An external bypass bridge/switch is required if extra fail-open ports are needed.
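The per-model port, fiber, speed and transceiver rules above are easy to get wrong when planning cabling, so here is an added planning check (example code written for this page, not Fortinet's) that encodes those rules and reports whether a planned bypass link is supported. The model names, port numbers and media rules are taken from the list above; the BypassLink record, its field names and the check function are assumptions of this example.

```python
"""Planning check for FortiDDoS-F built-in bypass links.

Added example, not Fortinet code: it transcribes the per-model port, fiber,
speed and transceiver rules from the handbook list above so a planned bypass
link can be checked before cabling. The dataclass fields and function names
are this example's own; the port numbers and media rules are the page's.
"""
from dataclasses import dataclass

# Active optical bypass models: eligible ports, link speed and fiber type.
# Transceivers are built into the chassis on these models.
ACTIVE_OPTICAL = {
    "FortiDDoS-200F":     {"ports": range(13, 17), "speed": "GE",   "fiber": "MMF"},
    "FortiDDoS-1500F":    {"ports": range(5, 9),   "speed": "10GE", "fiber": "MMF"},
    "FortiDDoS-1500F-LR": {"ports": range(5, 9),   "speed": "10GE", "fiber": "SMF"},
}
# Passive optical bypass models: cross-connectable port pairs and the
# transceiver speeds each pair accepts. Single-mode fiber only.
PASSIVE_OPTICAL = {
    "FortiDDoS-2000F": {(1, 2): ("10GE",), (3, 4): ("10GE",),
                        (5, 6): ("40GE",), (7, 8): ("40GE",)},
    "FortiDDoS-3000F": {(1, 2): ("40GE", "100GE"), (7, 8): ("40GE", "100GE"),
                        (3, 4): ("10GE",), (5, 6): ("10GE",)},
}
PASSIVE_TRANSCEIVERS = {"DR", "LR", "ER", "ZR"}
PASSIVE_WAVELENGTHS_NM = {1310, 1550}
COPPER_MODEL = "FortiDDoS-200F"   # only model with copper (RJ-45) bypass
COPPER_PORTS = range(1, 9)
COPPER_MAX_MBPS = 1000


@dataclass
class BypassLink:
    """A planned bypass link (hypothetical input record for this check)."""
    model: str
    ports: tuple                  # one port (active) or a cross-connected pair (passive)
    media: str                    # "copper" or "optical"
    fiber: str = ""               # "MMF" or "SMF"
    speed: str = ""               # "GE", "10GE", "40GE" or "100GE"
    transceiver: str = ""         # DR/LR/ER/ZR, passive models only
    wavelength_nm: int = 0        # passive models only
    link_speeds_mbps: tuple = ()  # both ends of a copper link


def check_bypass_link(link: BypassLink) -> tuple[bool, str]:
    """Return (supported, reason) for the planned link."""
    m = link.model
    if link.media == "copper":
        if m != COPPER_MODEL:
            return False, f"{m}: no copper bypass ports"
        if len(link.ports) != 1 or link.ports[0] not in COPPER_PORTS:
            return False, f"{m}: copper fail-open only on a single port in 1-8"
        if len(link.link_speeds_mbps) != 2:
            return False, "copper fail-open needs the link speed of both ends"
        a, b = link.link_speeds_mbps
        if a != b:   # both link speeds must match for copper fail-open
            return False, f"copper fail-open needs matching link speeds ({a} != {b} Mbps)"
        if a > COPPER_MAX_MBPS:
            return False, f"copper fail-open supports up to {COPPER_MAX_MBPS} Mbps"
        return True, f"{m}: active copper fail-open on port {link.ports[0]} at {a} Mbps"
    if link.media != "optical":
        return False, f"unknown media {link.media!r}"
    if m in ACTIVE_OPTICAL:
        spec = ACTIVE_OPTICAL[m]
        lo, hi = spec["ports"].start, spec["ports"].stop - 1
        if len(link.ports) != 1 or link.ports[0] not in spec["ports"]:
            return False, f"{m}: active optical fail-open only on ports {lo}-{hi}"
        if link.fiber != spec["fiber"] or link.speed != spec["speed"]:
            return False, f"{m}: bypass ports need {spec['speed']} over {spec['fiber']}"
        return True, f"{m}: active optical fail-open on port {link.ports[0]} (built-in {spec['speed']} transceiver)"
    if m in PASSIVE_OPTICAL:
        pair = tuple(sorted(link.ports))
        speeds = PASSIVE_OPTICAL[m].get(pair)
        if speeds is None:
            return False, f"{m}: ports {link.ports} are not a passive bypass pair"
        if link.fiber != "SMF":
            return False, f"{m}: passive bypass is single-mode fiber only"
        if link.speed not in speeds:
            return False, f"{m}: pair {pair} accepts {'/'.join(speeds)} transceivers, not {link.speed}"
        if link.transceiver not in PASSIVE_TRANSCEIVERS:
            return False, f"{m}: transceiver must be one of DR/LR/ER/ZR"
        if link.wavelength_nm not in PASSIVE_WAVELENGTHS_NM:
            return False, f"{m}: bypass optics must be 1310 or 1550 nm"
        return True, f"{m}: passive fail-open on pair {pair} with {link.speed} {link.transceiver} at {link.wavelength_nm} nm"
    return False, f"{m}: no built-in fail-open on this model/port; use an external bypass switch"


if __name__ == "__main__":
    # Constructed sample plans, not from any real deployment.
    plans = [
        BypassLink("FortiDDoS-200F", (3,), "copper", link_speeds_mbps=(1000, 100)),
        BypassLink("FortiDDoS-1500F-LR", (6,), "optical", fiber="MMF", speed="10GE"),
        BypassLink("FortiDDoS-2000F", (5, 6), "optical", fiber="SMF", speed="40GE",
                   transceiver="LR", wavelength_nm=1310),
    ]
    for plan in plans:
        ok, why = check_bypass_link(plan)
        print("OK  " if ok else "FAIL", why)
```

The check is deliberately strict: a link that the page does not explicitly list as supported is reported as unsupported with the reason, which matches the last bullet's advice to use an external bypass switch for anything outside the listed ports.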

You can use the Global Protection > Deployment > Deployment tab to configure the internal bypass mechanism to fail open or fail closed for F-Series appliances.

By default, the interfaces are configured to fail open. This means that under failure conditions the interfaces pass traffic through without performing any monitoring or prevention tasks. Packets that arrive at ingress ports are simply transferred to the corresponding egress ports, just like a wire or optical cable.

If you use an external bypass solution, configure the interfaces to fail closed. This means traffic is not forwarded through the interfaces when FortiDDoS fails. An external bypass system detects the outage and routes traffic around the FortiDDoS.

If you deploy an active-passive cluster, configure the interfaces on the Primary node to fail closed so the adjacent switches can select the secondary node. The secondary unit can be set to fail closed or fail open, depending on how you want to handle the situation if both FortiDDoS nodes are down.

The table below summarizes bypass behavior for a sequence of system states. During boot up, system processes are started. When boot up is complete the appliance exits the bypass state. Traffic is routed through the system, is monitored, and policies enforced.

In the event of failure, manual or system-caused reboot, system processes are unavailable because they are either being restarted or shut down, and the appliance enters the bypass state.

System state and bypass

State                        Fail Open            Fail Closed
State 1: Power Off           Bypass               Closed
State 2: Just Powered Up     Bypass               Closed
State 3: Boot Up Process     Bypass               Closed
State 4: System Ready        Traffic Processed    Traffic Processed
State 5: Failure or Reboot   Bypass               Closed
State 6: Power Off           Bypass               Closed

In addition to the automatic bypass settings, the following models support manual bypass with the following CLI command:

execute bypass-traffic {enable | disable}

This command forces the appliance interfaces to fail open. It has no option to force fail closed.

Note: If you use the CLI command to initiate bypass, you must use the CLI command to disable that state.

Use carefully since there is currently no status check to confirm the bypass state.

The manual bypass-traffic enable state is not persistent after reboot. If the appliance is rebooted, it will return inline.